Strongswan VPN Cannot Ping Clients when Connected to RV042 Router with Multiple Devices Attached

atravelbea
Level 1

I am having an issue with communicating with router nodes where there is more than one device connected (like PLC 2-4 below). There is a successful IKEv1 tunnel and packets (and pings) are getting sent through the tunnel (when tested from the VPN itself) but nothing is coming back. It's not clear if the devices on the other side are getting the messages. I can ping neither the PLCs nor the router.

Nodes with only one device connected to the router (like PLC 1 below) are OK with the same settings.

This problem occurs with and without the firewall enabled on the VPN server.

If I ping 172.16.0.1 using the router's diagnostic menu, the connection works for a short time (a few minutes) and you can ping from the VPN to the PLC.

Is there a setting on the router that needs to be set, or is this a known issue?

PS. I know the settings aren't very secure (Phase 1 is only 768-bit and aggressive mode), but I'm having to use legacy settings for the devices.

**VPN Server:**
Ubuntu 12.04
Strongswan 5.5.2

**Cisco Router:**
RV042

**Node setup:**

VPN Server----Cisco Router (10.1.253.1)----PLC 1 (10.1.253.10)
                     \---Cisco Router (10.1.254.1)----PLC 2 (10.1.254.10)
                     \---PLC 3 (10.1.254.11)
                     \---PLC 4 (10.1.254.12)

**strongswan.conf**

charon {
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    reuse_ikesa = no
    ikesa_table_size = 1024
    ikesa_table_segments = 16
    interfaces_use = eth0
}


**ipsec.conf**

config setup
    charondebug=ike 3

conn %default
    left=%defaultroute
    leftsubnet=172.16.0.0/12
    ikelifetime=2h
    margintime=10m
    rekeyfuzz=150%
    keyingtries=3
    keyexchange=ikev1
    authby=secret
    ike=3des-md5-modp768,3des-md5-modp1024,3des-md5-modp1536
    esp=3des-md5
    rekey=no

include /usr/local/etc/devices.*.conf


**devices.1.conf example**

...
conn d253
    auto=route
    right=%any
    aggressive=yes
    rightsubnet=10.1.253.0/24
    rightid=d253

conn d254
    auto=route
    right=%any
    aggressive=yes
    rightsubnet=10.1.254.0/24
    rightid=d254
...

**On VPN Server: ipsec status d254**

d254[3158]: ESTABLISHED 3 hours ago, 104.x.x.x[104.x.x.x]...185.y.y.y[d254]
d254{6403}: INSTALLED, TUNNEL, reqid 1231, ESP SPIs: c11d2cb7_i 7cadedfe_o
d254{6403}: 172.16.0.0/12 === 10.1.254.0/24

Thank you for your time.
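The `ipsec status` output above only shows that the CHILD_SA is INSTALLED; it does not say whether any ESP is coming back from the RV042. `ipsec statusall` additionally prints per-CHILD_SA `bytes_i` / `bytes_o` counters, and comparing the two is the quickest way to tell "the router never sends anything back" (bytes_o climbing, bytes_i stuck at 0) from "replies arrive but the server drops or misroutes them" (bytes_i > 0, pings still failing). The following script is an added example, not code from the original post or from strongSwan: it parses `ipsec statusall` text and classifies each CHILD_SA by traffic direction. The sample output embedded in it is constructed to mirror the d254/d253 connections in the thread with invented counters and SPIs; the `one-way-out` case is the symptom the poster describes.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `ipsec statusall` output (NOT captured from the
# poster's server). Counters, SPIs and the d253 peer address are invented;
# the line layout follows what strongSwan 5.x prints for CHILD_SAs.
SAMPLE_STATUSALL = """\
Security Associations (2 up, 0 connecting):
        d254[3158]: ESTABLISHED 3 hours ago, 104.x.x.x[104.x.x.x]...185.y.y.y[d254]
        d254[3158]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768
        d254{6403}:  INSTALLED, TUNNEL, reqid 1231, ESP SPIs: c11d2cb7_i 7cadedfe_o
        d254{6403}:  3DES_CBC/HMAC_MD5_96, 0 bytes_i, 4128 bytes_o (48 pkts, 3s ago), rekeying disabled
        d254{6403}:   172.16.0.0/12 === 10.1.254.0/24
        d253[3157]: ESTABLISHED 3 hours ago, 104.x.x.x[104.x.x.x]...185.z.z.z[d253]
        d253{6402}:  INSTALLED, TUNNEL, reqid 1230, ESP SPIs: 0a0b0c0d_i 1e1f2021_o
        d253{6402}:  3DES_CBC/HMAC_MD5_96, 5040 bytes_i (60 pkts, 2s ago), 4128 bytes_o (48 pkts, 2s ago), rekeying disabled
        d253{6402}:   172.16.0.0/12 === 10.1.253.0/24
"""

# A CHILD_SA line looks like "<conn>{<id>}:  <rest>"; IKE_SA lines use [id].
CHILD_RE = re.compile(r"^\s*(?P<conn>[^\s\[{]+)\{(?P<id>\d+)\}:\s*(?P<rest>.*)$")
BYTES_I_RE = re.compile(r"(\d+) bytes_i")
BYTES_O_RE = re.compile(r"(\d+) bytes_o")
SPI_RE = re.compile(r"ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")
TS_RE = re.compile(r"^(\S+) === (\S+)$")


@dataclass
class ChildSA:
    conn: str
    sa_id: int
    installed: bool = False
    spi_in: str = ""
    spi_out: str = ""
    bytes_in: int = 0
    bytes_out: int = 0
    local_ts: str = ""
    remote_ts: str = ""


def parse_statusall(text: str) -> Dict[str, ChildSA]:
    """Collect the CHILD_SA lines of `ipsec statusall` keyed by 'conn{id}'."""
    sas: Dict[str, ChildSA] = {}
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if not m:
            continue  # header or IKE_SA line, not a CHILD_SA
        key = "%s{%s}" % (m["conn"], m["id"])
        sa = sas.setdefault(key, ChildSA(m["conn"], int(m["id"])))
        rest = m["rest"].strip()
        if rest.startswith("INSTALLED"):
            sa.installed = True
            spi = SPI_RE.search(rest)
            if spi:
                sa.spi_in, sa.spi_out = spi.group(1), spi.group(2)
        bi, bo = BYTES_I_RE.search(rest), BYTES_O_RE.search(rest)
        if bi:
            sa.bytes_in = int(bi.group(1))
        if bo:
            sa.bytes_out = int(bo.group(1))
        ts = TS_RE.match(rest)
        if ts:
            sa.local_ts, sa.remote_ts = ts.group(1), ts.group(2)
    return sas


def classify(sa: ChildSA) -> str:
    """Label the SA by which direction has carried ESP since it was installed."""
    if not sa.installed:
        return "not-installed"
    if sa.bytes_in == 0 and sa.bytes_out == 0:
        return "idle"
    if sa.bytes_out > 0 and sa.bytes_in == 0:
        return "one-way-out"   # we send, peer never answers: look at the far end
    if sa.bytes_in > 0 and sa.bytes_out == 0:
        return "one-way-in"    # peer sends, we never reply: look at local forwarding
    return "bidirectional"


def report(text: str) -> List[str]:
    """One line per CHILD_SA: key, selectors, counters and the verdict."""
    return [
        "%s %s === %s bytes_i=%d bytes_o=%d -> %s"
        % (k, sa.local_ts, sa.remote_ts, sa.bytes_in, sa.bytes_out, classify(sa))
        for k, sa in sorted(parse_statusall(text).items())
    ]


if __name__ == "__main__":
    # Use `ipsec statusall` from the live daemon when available, else the sample.
    try:
        text = subprocess.check_output(["ipsec", "statusall"], text=True)
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_STATUSALL
    print("\n".join(report(text)))
```

Run it twice a few seconds apart while pinging a PLC from the server: if `bytes_o` grows for `d254{...}` and `bytes_i` never moves, the RV042 is not returning any ESP on that SA, which is consistent with the thread's observation that things only work for a while after the router itself initiates traffic.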

2 Replies

Philip D'Ath
VIP Alumni

If there is only one VPN termination at each site (aka a single RV042) there should be a single connection entry for all the subnets.

What is devices.1.conf?

devices.1.conf contains the definitions for each connection name. So if the router uses the id d254, it is assigned 10.1.254.x by the VPN.

There is a single connection entry, but I can't ping any IPs on that connection unless I ping the VPN from the router on the other side.  And even with that the connection lasts anywhere from a couple minutes to half an hour.  Turning on DPD on the VPN to restart the connection doesn't seem to help, and Keep Alive is enabled on the router.